A revelation coming out of the Colonial Pipeline cybersecurity incident is how easily systems and data can be held hostage by bad actors through seemingly simple means. The Colonial event illustrates the importance of everyone involved in pipeline operations playing their part by practicing good cybersecurity hygiene.
Cybersecurity Hygiene Lessons Learned From Colonial
Colonial Pipeline CEO Joseph Blount told a U.S. Senate committee hearing that the high-profile ransomware attack began with a single compromised password. The attackers logged in through a legacy Virtual Private Network (VPN) profile that was no longer in use but had never been decommissioned, and that did not require multi-factor authentication (MFA).
According to additional reports, the password for that VPN account turned up in a batch of credentials leaked from an unrelated breach. In a textbook case of poor cybersecurity hygiene, the same password had been reused on another account that was compromised earlier, so the leaked copy worked against the VPN as well.
With no second factor in place, a text message, phone call, or authenticator prompt, the password alone was enough to log in.
A further problem is that the VPN account was no longer in use but had not been disabled or removed, so nobody was watching it. That gave the attackers ample time to move through company-wide systems and data before they announced their presence with a ransom demand.
According to the reported timeline, the attackers gained initial access as early as April 29. The ransomware was deployed on May 7, more than a week later. That interval was enough to map the environment, gather sensitive information, and compromise additional systems. Colonial then paid a ransom to obtain a decryption tool and to head off publication of the stolen data.
A further complication is that ransomware groups in general are looking to cause more damage per intrusion. Beyond holding one company's data hostage, they increasingly go after third-party information connected to the company they have compromised.
For example, attackers now seek out sensitive data belonging to vendors, customers, and other affiliates, pulling more organizations into the incident to drive up the ransom they can demand.[ Listen to this month's edition of the Pipeline Technology Podcast for more insight on this secondary extortion tactic. ]
What Pipeline Operators Need to Do About Cybersecurity
One of the key takeaways from the Colonial incident is that pipeline operators of all sizes need to take preventive action and strengthen their security efforts. This should be a group effort involving everyone in the operation.
– People: On the user side of the equation, are your people educated on cybersecurity? Do they understand their role in practicing good cybersecurity hygiene (e.g. using a unique password for each log-in, never reusing a work password elsewhere, and changing any password known to have appeared in a breach)?
– Alerting: Do you have an alerting system where your people can report suspicious activity? Or, do your systems and software have built-in alerting functionality to inform IT leaders of unusual activity?
– Hardware: On the technical side of the equation, can you account for each piece of hardware? Are your devices such as RTUs and PLCs updated and protected?
– Systems: Have you updated to the latest versions of the software you are using? Are your applications patch-current? Do you have legacy VPNs or remote-access accounts that are no longer in use but still active, which need to be disabled or taken offline?
– Communication: Is your chosen form of network communication from the field to the control room authenticated and encrypted? Is the data that comes into your SCADA system protected from tampering in transit?
– Data: Do you have data backups in place to recover systems or data if they are compromised? Are you regularly testing restores so that you can recover without paying a ransom, and are backups kept offline or otherwise out of reach of an attacker who holds valid network credentials?
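The People and Systems questions above come down to a few checks that can be automated against an account export. The script below is an added example, not code from the original article or from EnerSys: it takes a constructed list of remote-access accounts and flags the three conditions that combined in the Colonial case (no MFA, a dormant account nobody disabled, and a password that already appears in a breach corpus), plus passwords shared between accounts. The 90-day dormancy threshold, the account data, and the breach set are all assumptions; the `parse_range_response` helper follows the published `SUFFIX:COUNT` line format of the Pwned Passwords range API so the same check can be run against that service without sending the full hash.

```python
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional, Set

# Assumed threshold; align it with your own access-review cycle.
DORMANT_AFTER = timedelta(days=90)


@dataclass
class Account:
    username: str
    mfa_enabled: bool
    last_login: Optional[date]  # None = never used since creation
    password_sha1: str          # upper-case hex SHA-1, the form Pwned Passwords uses


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breach corpus. A real deployment would query the
# Pwned Passwords range API (or an internal copy) rather than hold a tiny set here.
BREACHED_SHA1: Set[str] = {sha1_hex(p) for p in ("Password123", "Spring2021!", "welcome1")}


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse a range response ('SUFFIX:COUNT' per line) into {suffix: count}."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if line:
            suffix, count = line.split(":", 1)
            counts[suffix.upper()] = int(count)
    return counts


def seen_in_range(password_sha1: str, range_body: str) -> int:
    """How often the hash appears in a range response (0 = not seen).
    Only the first 5 hex chars are sent to the API; the 35-char suffix stays local."""
    suffix = password_sha1[5:].upper()
    return parse_range_response(range_body).get(suffix, 0)


def audit(accounts: Iterable[Account], today: date,
          breached: Set[str] = BREACHED_SHA1) -> Dict[str, List[str]]:
    """Return {username: [issues]} for every account with at least one finding."""
    accounts = list(accounts)
    hash_users: Dict[str, int] = {}
    for acct in accounts:
        hash_users[acct.password_sha1.upper()] = hash_users.get(acct.password_sha1.upper(), 0) + 1

    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        issues: List[str] = []
        if not acct.mfa_enabled:
            issues.append("no_mfa")
        if acct.last_login is None or today - acct.last_login > DORMANT_AFTER:
            issues.append("dormant")
        if acct.password_sha1.upper() in breached:
            issues.append("breached_password")
        if hash_users[acct.password_sha1.upper()] > 1:
            issues.append("shared_password")
        if issues:
            findings[acct.username] = issues
    return findings


def priority(issues: List[str]) -> str:
    # The Colonial combination: a leaked credential, no second factor, nobody watching.
    if {"no_mfa", "breached_password"} <= set(issues):
        return "critical"
    if any(i in issues for i in ("no_mfa", "breached_password", "shared_password")):
        return "high"
    return "medium"


def sample_accounts() -> List[Account]:
    """Constructed data for the example; not from any real system."""
    return [
        Account("legacy-vpn-svc", False, date(2020, 11, 3), sha1_hex("Spring2021!")),
        Account("ops-jsmith", True, date(2021, 5, 6), sha1_hex("correct horse battery staple")),
        Account("contractor-old", True, None, sha1_hex("Xk9#vL2q!pWm")),
        Account("scada-eng", False, date(2021, 5, 1), sha1_hex("Xk9#vL2q!pWm")),
    ]


# Constructed range response containing the breached hash plus two unrelated suffixes.
SAMPLE_RANGE_BODY = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:3",
    sha1_hex("Spring2021!")[5:] + ":1234",
    "011053FD0102E94D6AE2F8B83D76FAF94F6:1",
])

if __name__ == "__main__":
    report = audit(sample_accounts(), date(2021, 5, 7))
    for user, issues in report.items():
        print(f"{priority(issues):8} {user:16} {', '.join(issues)}")
    print("Spring2021! seen in range:", seen_in_range(sha1_hex("Spring2021!"), SAMPLE_RANGE_BODY))
```

Run against a real account export, the "critical" rows are the ones to disable today; "dormant" on its own is the list to work through at the next access review. Keep the password hashes out of any shared log, and query the range API by prefix only.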
There are numerous important questions that each pipeline operator needs to ask. Working through them gives you a clearer picture of your cybersecurity strengths and weaknesses, and a basis for a roadmap of improvements.
Talk to EnerSys About Supporting Pipeline Cybersecurity Efforts
One password is all it took for threat actors to compromise Colonial Pipeline. As cyber attacks continue to rise in 2021 and beyond, we want to make sure your operation is cyber-ready.
Talk to us about reviewing your current technology challenges and performing an evaluation of your operation’s cyber readiness. Practicing good cybersecurity hygiene is more important than ever as cyberattackers continue to look for the smallest opening or vulnerability to gain access to entire networks.
Through the combination of our ComplyMgr software module and our subject matter expertise, we can perform a gap analysis. Through this assessment, we’ll help you determine the appropriate next steps to build a stronger cyber defense.